In light of the most recent disclosure for the Pulse Secure VPN solution, here is a quick guide to building detections for this attack.

Brief backstory: FireEye reported 12 malware families and multiple threat actors abusing Pulse Secure vulnerabilities. The most recent vulnerability, CVE-2021-22893, is an authentication bypass in Pulse Connect Secure that allows unauthenticated remote code execution. A detailed explanation can be found in FireEye's write-up.

At a high level, what we want to alert on is requests for, or activity touching, a specific set of URIs and files on the appliance. Those are as follows:

  • /home/bin/memread
  • /home/runtime/logs/*
  • /tmp/1
  • meeting_testjs.cgi
  • /home/perl/
  • ive-host/dana-na/auth/
  • /tmp/dsactiveuser.statementcounters
  • /tmp/dsstartssh.statementcounters
  • /tmp/dsserver-check.statementcounters
  • compcheckjava.cgi
  • compcheckresult.cgi
  • memread
  • licenseserverproto.cgi
  • dana-na/auth/recover.cgi
  • downloadlicenses.cgi
  • *dana*
  • *meeting*
  • *fb*
  • *smb*
  • *dana-cached*
  • *dana-ws*
  • *metric*
  • *namedusers*

The wildcard fragments at the end are not searched on their own; the Splunk search below ANDs them together so that they match URIs of the form /dana/meeting, /dana/fb/smb, /dana-cached/fb/smb, /dana-ws/metric and /dana-ws/namedusers, the endpoints Pulse Secure's published workaround disables. Two things to keep in mind when tuning: the bare term memread already subsumes /home/bin/memread, and a short term like /tmp/1 is likely to need narrowing against your own logs.

In Splunk you can alert on these with the search below. Use straight double quotes (the curly quotes a blog editor substitutes are not string delimiters in SPL), and note that the leading-wildcard terms such as "*fb*" and "*smb*" are not index-accelerated, so the search scans every event in the time range; keep the window short or schedule it off-peak.

index=*_main sourcetype=pulsesecure
    (
        "/home/bin/memread" OR "/home/runtime/logs/" OR "/tmp/1" OR "meeting_testjs.cgi"
        OR "/home/perl/" OR "ive-host/dana-na/auth/"
        OR "/tmp/dsactiveuser.statementcounters" OR "/tmp/dsstartssh.statementcounters"
        OR "/tmp/dsserver-check.statementcounters"
        OR "compcheckjava.cgi" OR "compcheckresult.cgi" OR "memread"
        OR "licenseserverproto.cgi" OR "dana-na/auth/recover.cgi" OR "downloadlicenses.cgi"
        OR ("*dana*" ("*meeting*" OR ("*fb*" "*smb*")))
        OR ("*dana-cached*" "*fb*" "*smb*")
        OR ("*dana-ws*" ("*metric*" OR "*namedusers*"))
    )
| stats count values(message) as message values(src_ip) as src_ip values(temp_info) as temp_info
    latest(_time) as ltime values(direction) as direction values(vendor_product) as vendor_product
    values(protocol) as protocol
    by index, dest, sourcetype
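To see how the search's boolean structure behaves before you schedule it, here is an added Python re-implementation of the same term list and AND/OR grouping, run over a handful of constructed Pulse Secure-style events. This is example code written for this page, not code from the original post, from Pulse Secure or from FireEye; the host names, IPs and log lines are made up for illustration. It uses plain case-insensitive substring matching, which is broader than Splunk's token-based term matching, so treat it as a model of the logic rather than of Splunk's exact hit set.

```python
# Added example: the page's Splunk search logic re-implemented in Python and run
# over constructed sample events. Substring matching here is broader than
# Splunk's token-based term matching; it models the boolean structure only.
from collections import defaultdict

# Literal terms from the list above, with the duplicate "/home/runtime/logs/" dropped.
LITERAL_TERMS = [
    "/home/bin/memread",
    "/home/runtime/logs/",
    "/tmp/1",
    "meeting_testjs.cgi",
    "/home/perl/",
    "ive-host/dana-na/auth/",
    "/tmp/dsactiveuser.statementcounters",
    "/tmp/dsstartssh.statementcounters",
    "/tmp/dsserver-check.statementcounters",
    "compcheckjava.cgi",
    "compcheckresult.cgi",
    "memread",
    "licenseserverproto.cgi",
    "dana-na/auth/recover.cgi",
    "downloadlicenses.cgi",
]

# The search's wildcard clauses, expanded to disjunctive normal form:
# each tuple is an AND of substrings, the list as a whole is an OR.
#   ("*dana*" ("*meeting*" OR ("*fb*" "*smb*")))  -> first two tuples
#   ("*dana-cached*" "*fb*" "*smb*")              -> third tuple
#   ("*dana-ws*" ("*metric*" OR "*namedusers*"))  -> last two tuples
WILDCARD_GROUPS = [
    ("dana", "meeting"),
    ("dana", "fb", "smb"),
    ("dana-cached", "fb", "smb"),
    ("dana-ws", "metric"),
    ("dana-ws", "namedusers"),
]


def match_terms(message):
    """Return every literal term and wildcard group that hits, in search order.

    Splunk term matching is case-insensitive, so compare lowercased text.
    """
    text = message.lower()
    hits = [term for term in LITERAL_TERMS if term.lower() in text]
    for group in WILDCARD_GROUPS:
        if all(part in text for part in group):
            hits.append("*" + "*".join(group) + "*")
    return hits


def summarize(events):
    """Rough equivalent of `| stats count values(src_ip) ... by dest`.

    Only events that hit at least one term are counted, as in the search.
    """
    rows = defaultdict(lambda: {"count": 0, "src_ip": set(), "hits": set()})
    for event in events:
        hits = match_terms(event["message"])
        if not hits:
            continue
        row = rows[event["dest"]]
        row["count"] += 1
        row["src_ip"].add(event["src_ip"])
        row["hits"].update(hits)
    return dict(rows)


# Constructed sample events in a Pulse Secure-like shape; hosts and IPs are made up.
SAMPLE_EVENTS = [
    {"dest": "vpn01", "src_ip": "203.0.113.7",
     "message": "Program information: program /home/bin/memread started"},
    {"dest": "vpn01", "src_ip": "203.0.113.7",
     "message": "WebRequest ok : Host: vpn01, Request: [GET /dana-ws/namedusers HTTP/1.1]"},
    {"dest": "vpn02", "src_ip": "198.51.100.9",
     "message": "WebRequest ok : Host: vpn02, Request: [GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1]"},
    {"dest": "vpn02", "src_ip": "198.51.100.12",
     "message": "WebRequest ok : Host: vpn02, Request: [GET /dana-cached/fb/smb/wfb.cgi HTTP/1.1]"},
    # Benign-looking line that the short "/tmp/1" term still catches as a substring.
    {"dest": "vpn02", "src_ip": "198.51.100.9",
     "message": "Program information: wrote temp file /tmp/1a2b"},
]


if __name__ == "__main__":
    for dest, row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(dest, row["count"], sorted(row["src_ip"]), sorted(row["hits"]))
```

Running it shows the ordinary welcome.cgi login request on vpn02 staying silent while the /dana-ws/namedusers and /dana-cached/fb/smb requests and the memread execution all fire. The last constructed event is the one to study: a substring matcher fires on /tmp/1a2b because "/tmp/1" is a prefix of it, and whether Splunk's segmentation of the quoted term does the same depends on how the event is tokenized, so verify that term against your own data before relying on it.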

Happy Hunting

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.